Abstract. The problem of reliably transferring data from a set of $N_P$ producers to a set of $N_C$
consumers in the BAR model, named N-party BAR Transfer (NBART), is an important building block 
for volunteer computing systems. An algorithm to solve this problem in synchronous systems, which 
provides a Nash equilibrium, has been presented in previous work. In this paper, we propose an NBART 
algorithm for asynchronous systems. Furthermore, we also address the possibility of collusion among 
the Rational processes. Our game theoretic analysis shows that the proposed algorithm tolerates a certain
degree of arbitrary collusion, while still fulfilling the NBART properties.

1 Introduction 

Peer-to-peer networks can be used for executing computationally intensive projects, as shown by 
the Boinc infrastructure [1]. Building systems on this kind of network may be quite challenging due
to the existence of Byzantine processes, whose behaviour is arbitrary, and of Rational processes, 
which may deviate from the specified protocols if they can increase their utility. A system model 
that captures this variety of behaviours has been coined the BAR model [2], named after the three 
classes of processes (Byzantine, Altruistic, and Rational) that it explicitly considers. 

Our work focuses on the particular problem of reliably transferring data from a set of $N_P$
producers to a set of $N_C$ consumers in the BAR model, named N-party BAR Transfer (NBART).
This problem is an important building block for volunteer computing systems, since it allows 
volunteers to transfer intermediate or final results of the computations to another set of volunteers, 
after storing the data for some time. For instance, if computations are to be performed using a 
model such as MapReduce, mappers may invoke the NBART primitive to transfer the intermediate 
results to reducers. 

Although an algorithm that solves this problem has already been devised for synchronous systems
[3], in a peer-to-peer network it is often unrealistic to assume that there is a known upper
bound for the execution time and the communication delay. With this in mind, this paper addresses 
the NBART problem in an asynchronous system. 

Furthermore, this paper also addresses the problem of collusion, which is a real issue in peer-to-peer
networks due to attacks such as Sybil and whitewashing. In addition to arbitrary collusion
of Byzantine players, we consider that Rational processes may create collusion groups, including 
producers and consumers. 



Related Work Since models based on traditional Game Theory assume that all processes follow 
the selfish strategy that maximises their utility function, they fail to account for arbitrary behaviour 
that may arise from Byzantine faults. In face of this limitation, traditional utility functions must 
be augmented to accommodate Byzantine-awareness. Additionally, alternative rules for predicting 
how the game will be played have also been proposed to address Byzantine behaviour. 

To the best of our knowledge, the work of Eliaz et al. [I] was the first to address the issues
above, introducing the notion of k-Fault Tolerant Nash Equilibrium (k-FTNE). In this context, a
profile of strategies is k-FTNE if the strategy of each player is a best response to the strategy of
other players, independently of the identity of Byzantine players and the arbitrary strategy they
follow. This concept was later applied to virus inoculation games [5]. In [6], the authors discuss
the limitations imposed by regret freedom on communication games, by proving that there are 
no non-trivial equilibria that provide regret-freedom strategies. Then, they propose a different 
approach named regret-braving, where players are willing to obey the specified solutions based
on their expectations about the environment, and these strategies are regret-free as long as those
expectations hold. In our work, we consider that players are risk-averse, that is, they always hold 
the expectation that Byzantine players will follow the worst possible strategy to their utility. 

In practice, rational players can seek to maximise their utility function by colluding with other
players, i.e., forming coalitions. Therefore, the solution concepts are more robust if they account 
for such rational behaviour. Aumann [7] addressed this issue by defining an equilibrium as a profile
of strategies where no deviating collusion strategy provides a greater utility for all players of the
group. Then, Bernheim et al. [8] introduced the notion of coalition-proof Nash equilibrium, where
no deviations by a coalition can perform better, although they do not allow further deviations to the
collusion strategy. This work was later extended to take into consideration correlated strategies [9].

The work of [10] considered the existence of processes with unexpected utilities and collusion. 
The authors proposed the solution concept of (k, t)-robustness, where no process can increase 
its utility by deviating in collusion with up to $k - 1$ other processes, regardless of the Byzantine
behaviour of up to t processes. This notion is stronger than the previous models for collusion, since it 
accounts for arbitrary collusion where it should be true that no player performs better by deviating 
from the equilibrium strategy, even if that implies decreasing the utility of other players within the 
coalition. Unfortunately, in certain scenarios such as communication games (where players incur 
communication costs), it was shown that no game can be (k, t)-robust for k,t >

Additional literature relevant to our results includes works on agreement in the BAR model [2,11]
and data dissemination [12,13,14], which studied protocols tolerant to the BAR model and showed under
which conditions those solutions provide Nash equilibria. In [15], the authors studied the impact
of altruism on a repeated game modelled by the BAR model. All these works assume repeated 
interactions of processes in a cooperative service. On the other hand, our paper considers one-shot 
games, and therefore addresses the need to provide equilibrium strategies for Rational processes to 
follow the specified algorithm based on incentives provided in a single instance of NBART. 

Contributions The first contribution of this paper consists in an algorithm that solves NBART 
in asynchronous systems. We show that the proposed algorithm is correct, assuming that all non-Byzantine
processes follow it, for $N_P > 2F_P + 1$ and $N_C > F_C + 1$, where $F_P$ and $F_C$ are upper
bounds on the number of Byzantine producers and Byzantine consumers respectively. We also show
that the presented algorithm obtains asymptotically optimal bit complexity in certain scenarios. 

The second contribution consists in the game theoretic analysis of the proposed algorithm. Since 
processes incur communication costs, our algorithm cannot be (k, t)-robust [11]; hence we rely on
a weaker notion of Byzantine aware utility function to account for Byzantine behaviour, based on
the notion proposed in [11].

Given that we cannot ensure that the players within a coalition follow the algorithm, we propose 
a new solution concept, which is an adaptation of k-resilience to account for collusion in the following
way. We define an equilibrium as a profile of strategies $\sigma$ where members of a coalition are interested
in deviating from $\sigma$ only if their behaviour, as observed by other processes, is equivalent to $\sigma$.

We assume that the size of each group of Rational colluding processes is bounded by a constant 
Nj- = Nj- + Ntf, where Nj- is the number of members of the colluding group that are producers and 
Nj- is the number of consumers in the same group. We show that, if Np > max(Fp, Nj-) + Fp + 1
and Nc > Fc + Nj- + 1, then the algorithm provides such an equilibrium, implying that processes from
any coalition follow a strategy that ensures that the NBART properties are fulfilled. An important 
consequence of this is that, in the absence of collusion, the algorithm provides a Nash equilibrium. 

Paper Organisation The remainder of the paper is structured as follows. The system model and
the NBART problem are defined in Section 2. The algorithm that solves NBART in the given model
is presented in Section 3, along with the proofs of correctness and a simple complexity analysis. In
Section 4 we perform the game theoretic analysis of the algorithm.

2 System Model 

We assume an asynchronous system composed of N processes or players (we will use the term 
player only when performing the Game Theoretic analysis; in any other case, we will use the name 
process). Processes are connected by a fully-connected network and can communicate using reliable
authenticated point-to-point communication channels [16].

We make the distinction between identity, process/player, and coalition. An identity is a tuple
$(i, pk_i, sk_i)$, where $i$ is an identifier and $pk_i$ and $sk_i$ are the corresponding public and private keys.
There is a set of identities $\mathcal{I} = \mathcal{P} \cup \mathcal{C}$, where $\mathcal{P}$ and $\mathcal{C}$ are the sets of producer and consumer identities,
respectively, such that $\#\mathcal{P} = N_P$ and $\#\mathcal{C} = N_C$. Players are the decision-making entities of our
Game Theoretic analysis and are represented by a single identity. Therefore, when referring to the
process that holds the identity $(i, pk_i, sk_i)$, we will simply refer to it as $i$. If $i \in \mathcal{P}$, the corresponding
process is referred to as a producer, otherwise, it is called a consumer. Finally, $N_P + N_C = N$.

As defined by the BAR model, a player can be Altruistic (if it follows the algorithm), Byzantine 
(if its behaviour is arbitrary), or Rational (if it follows the strategy that maximises its utility 
given the expectations regarding the strategies followed by other players). We assume that Rational 
processes adhere to the promptness principle [2], in the sense that if the expected utilities of following 
the algorithm and deviating by delaying messages are equivalent, then processes do not deviate. It
is said that a player $i$ signs information with $sk_i$ by invoking $s_i(data)$.

2.1 NBART Problem 

The NBART Problem can be defined as follows. Each producer p produces an arbitrarily large
value $v_p$ by invoking the deterministic function produce(p, $v_p$), such that any two non-Byzantine
producers produce the same value, named the correct value. Consumers must consume only one
value v, sent by some producer, by invoking consume(c, v). The invocation of this primitive proves
that, indeed, c consumes the value. To deal with Rational behaviour, we rely on the participation
of an abstract entity named Trusted Observer (TO), whose function is to gather cryptographic
information from the participants of each transfer and reward processes according to their observable
behaviour. To assess the behaviour of each process, TO uses two predicates hasProd(evidence, p)
and hasAck(evidence, c) that take as input the evidence produced by TO to indicate, respectively,
if producer p participated in NBART and if consumer c notified the reception of the correct value.
TO is said to eventually produce evidence about the transfer if, when hasProd and hasAck become
true for all corresponding non-Byzantine producers and consumers, TO eventually calls the primitive
certify(TO, evidence) after that. With these definitions, the NBART problem is characterised
by the following properties:

— NBART 1 (Validity): If a non-Byzantine consumer consumes v, then v was produced by some 
non-Byzantine producer. 

— NBART 2 (Integrity): No non-Byzantine consumer consumes more than once. 

— NBART 3 (Agreement): No two non-Byzantine consumers consume different values. 

— NBART 4 (Eventual Consumption): Eventually, every non-Byzantine consumer consumes a 
value. 

— NBART 5 (Evidence): TO eventually produces evidence about the transfer. 

— NBART 6 (Producer Certification): If producer p is non-Byzantine, then hasProd(evidence, p)
eventually becomes true. 

— NBART 7 (Consumer Certification): If consumer c is non-Byzantine, then hasAck(evidence, 
c) eventually becomes true. 

3 Asynchronous NBART 

We now describe an algorithm that solves the NBART problem in an asynchronous environment. 
We first provide an overview, then proceed to the detailed description of the algorithm, and we 
conclude with a theoretical analysis, where we prove the correctness of this solution and perform a 
complexity analysis in terms of message and bit complexity. 

3.1 Overview of the Algorithm 

The algorithm can be briefly described as follows. Each producer p owns a block ($b_p$) that belongs
to the set of $N_P$ blocks obtained from the value v by using Reed-Solomon codes, such that v can
be retrieved from any subset of B blocks ($N_P > B + F_P$). Then, p strives to transfer $b_p$ along with
the signature of the vector that contains the hashes of all blocks to a subset of consumers denoted
by $conset_p$. Each consumer c only needs to receive B correct blocks and $F_P + 1$ signatures of the
same vector of hashes to consume the value. However, c must continue to process any received
information and send it to TO, which must (re-)invoke certify(evidence) whenever it receives new
information, in order to fulfil the property NBART-5.

3.2 Algorithm in Depth 

The algorithm is depicted for producers in Alg. 1, for consumers in Alg. 2 and Alg. 3, and for TO
in Alg. 4. Producers use Reed-Solomon codes to reduce the communication costs of transferring
an arbitrarily large value. The value v, whose length in bits is denoted by $l_v$, is split into $N_P$
blocks of size $\frac{l_v}{B}$, such that any subset of B blocks is sufficient to retrieve the original value, where
$1 < B < N_P - F_P$ and $B < l_v$. There is a function RS-ENC(v, $N_P$, B, $\omega$) that, given the correct
value v, the number of producers $N_P$, the number of blocks B, and the word size $\omega$, returns a vector
v containing the $N_P$ blocks, where $2^{\omega} > N_P$. Let $h_v$ denote the vector containing the hashes of
each of the blocks from v. The inverse function RS-DEC(v', $N_P$, B, $\omega$, $h_v$) is defined as follows: if
there are at least B blocks from v' whose hash is in $h_v$, then it returns the value v; otherwise, it
returns $\bot$. We consider that all arithmetic operations are performed over elements of the Galois
Field GF($2^{\omega}$).

We consider that each process is unequivocally identified by an index, between 0 and $N_P - 1$ for
producers, and between 0 and $N_C - 1$ for consumers. Each consumer $c_j$ uses a deterministic function
$prodset_{c_j}$ to determine the set of producers that are supposed to send it their blocks, defined in
such a way that each consumer is related to exactly $B + F_P$ producers (in this way distributing
load among producers). A possible mapping function is the following:
$prodset_{c_j} = \{p_i \in \mathcal{P} \mid i \in [k \ldots (k + B + F_P - 1) \bmod N_P],\ k = j(B + F_P) \bmod N_P\}$.
It is useful to define the function that establishes the inverse relation
$conset_{p_i} = \{c_j \in \mathcal{C} \mid p_i \in prodset_{c_j}\}$ for each producer $p_i$. These
definitions ensure that each consumer is able to receive at least B blocks from non-Byzantine
producers, therefore being able to retrieve the correct value. In addition, the load is distributed
across the producers such that
$\forall_{p \in \mathcal{P}} : \#conset_p = n \Rightarrow \forall_{p' \in \mathcal{P} \setminus \{p\}} : n - 1 < \#conset_{p'} < n + 1$.

Each producer p starts by storing the set of blocks from v by invoking RS-ENC. Note that each
producer will only be required to transmit one of these blocks (each producer transmits a different
block). However, each producer is still required to send $h_v$. Therefore, each producer then sets the
vector hashes to $h_v$ (Alg. 1, lines 4-7). Then, p transfers its block along with $h_v$ to all consumers
of $conset_p$ in a Block message (lines 8-10), while sending Summary messages to the remaining
consumers only containing $h_v$ (lines 11-13). Both these messages are signed with the private key
of the producer. Notice that, in the Block message, it is not necessary to sign the block, for the
signature of the hashes already authenticates the block.



Algorithm 1: NBART (p ∈ P)

01 upon init() do
02     blocks := [⊥]^{N_P};
03     hashes := [⊥]^{N_P};
04 upon produce(p, v) do
05     blocks := RS-ENC(value, N_P, B, ω);
06     forall i ∈ P do
07         hashes[i] := hash(blocks[i]);
08     signature := s_p(Block||hashes);
09     forall c ∈ conset_p do
10         send(p, c, [Block, blocks[p], hashes, signature]);
11     signature := s_p(Summary||hashes);
12     forall c ∈ C \ conset_p do
13         send(p, c, [Summary, hashes, signature]);



In turn, each consumer c keeps all the received data blocks in a vector blocks and the received
vectors of hashes (along with the signatures) in hashvecs. In addition, there is a set missing that
keeps the identities of the producers that have not yet sent any signed information. Finally, correcthashvec
is the correct vector of hashes, that is, the vector that is sent by at least $F_P + 1$ producers,
and correctproducers stores, for each producer, the value $\bot$ if it has not yet sent any message, or
the signature of the message sent by the producer.

Each consumer uses the functions verifysig(i, d) and verifyhash(b, h) to verify the signature
by i of d and the hash of b when compared to h, respectively. Consumer c is in one of three
states: init, gotHashes, and consumed. c is in state init when hashvecs does not contain a majority
($F_P + 1$) of identical vectors of hashes. The function minimumHashes (Alg. 2, lines 8-12) marks
the transition between init and gotHashes, by setting correcthashvec to a non-null value, when the
required majority of hashes is gathered by c. Procedure consume-and-report (lines 16-23) makes
the transition from gotHashes to consumed when the consumer gathers at least B correct blocks
and, therefore, the invocation of RS-DEC returns a non-null value. In this case, the consumer
consumes the value (line 19) and prepares a report intended to TO (lines 20-23), which is sent by
invoking the procedure report (lines 13-15). This report contains the vector correcthashvec and the
signature of all the producers that already sent correct messages to c, i.e., messages that contained
correcthashvec.

Whenever a consumer c receives a Block message from a producer p that belongs to $missing \cap prodset_c$
(Alg. 3, line 1), c removes p from missing if the signature is valid (lines 2-3) and, according
to its state, performs one of the following actions: i) If c is still in state init, then it stores the
received information in the appropriate vectors and invokes minimumHashes (lines 4-8), in order
to verify if it has already gathered a majority of identical vectors of hashes. If that is the case, then
c invokes consume-and-report (lines 9-10). ii) If c is in state gotHashes, then it adds the received
vector of hashes along with the signature to hashvecs, stores the block, and invokes consume-and-report
(lines 11-15). iii) If c is in state consumed, then it adds the signature of the producer to
correctproducers and reports the information received from producers to TO (lines 16-18).

An almost identical approach is followed by c whenever it receives a Summary message, aside 
from the fact that in this case c does not expect to receive any block (lines 19-33). 

Algorithm 2: NBART (c ∈ C): Part I

01 upon init do
02     value := ⊥;
03     correcthashvec := ⊥;
04     hashvecs := [⊥]^{N_P};
05     blocks := [⊥]^{N_P};
06     missing := P;
07     correctproducers := [⊥]^{N_P};
08 function minimumHashes(hashvecs) is
09     if ∃h : #{p | hashvecs[p] = (h, *)} ≥ F_P + 1 then
10         return h;
11     else
12         return ⊥;
13 procedure report() is
14     signature := s_c(Report||correcthashvec||correctproducers);
15     send(c, TO, [Report, correcthashvec, correctproducers, signature]);
16 procedure consume-and-report is
17     value := RS-DEC(blocks, N_P, B, ω, correcthashvec);
18     if value ≠ ⊥ then
19         consume(c, value);
20         forall p ∈ P do
21             if hashvecs[p] = (correcthashvec, signature) then
22                 correctproducers[p] := signature;
23         report();


The trusted observer only waits for Report messages from consumers to include all the received 
information in the array evidence (lines 3-5). In addition, TO repeatedly tries to produce the 
evidence about the transfer whenever it receives new information (line 6). 
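
The consumer logic of Algorithms 2 and 3 can be exercised against Byzantine producers with the following Python sketch, which is an added example and not the authors' code. It assumes stand-ins that the paper does not specify: HMAC-SHA256 with constructed demo keys in place of the signatures $s_p$, a polynomial erasure code over GF(257) in place of Reed-Solomon over GF($2^{\omega}$), an explicit length argument to RS-DEC, and a list named reports in place of the Report messages sent to TO.

```python
import hashlib, hmac
from collections import Counter

Q = 257  # prime field, an assumed stand-in for the paper's GF(2^w)

def interp(pts, x):
    """Evaluate at x the polynomial through pts = [(xi, yi), ...] over GF(Q)."""
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num, den = num * (x - xj) % Q, den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def rs_enc(value, n_p, b):
    """RS-ENC stand-in: n_p blocks, any b of which determine value."""
    padded = value + bytes(-len(value) % b)
    rows = [list(enumerate(padded[i:i + b])) for i in range(0, len(padded), b)]
    return [tuple(interp(row, x) for row in rows) for x in range(n_p)]

def block_hash(block):
    return hashlib.sha256(repr(block).encode()).hexdigest()

def rs_dec(blocks, b, hashes, length):
    """RS-DEC stand-in: None (the paper's bottom) unless b blocks match hashes."""
    good = [(i, blk) for i, blk in enumerate(blocks)
            if blk is not None and block_hash(blk) == hashes[i]][:b]
    if len(good) < b:
        return None
    data = bytes(interp([(i, blk[r]) for i, blk in good], x)
                 for r in range(len(good[0][1])) for x in range(b))
    return data[:length]

def sign(key, tag, hashes):  # HMAC stand-in for the signature s_p(tag || hashes)
    return hmac.new(key, "|".join((tag,) + hashes).encode(), "sha256").hexdigest()

def prodset(j, n_p, b, f_p):  # producers that send Block messages to consumer j
    k = j * (b + f_p) % n_p
    return {(k + d) % n_p for d in range(b + f_p)}

class Consumer:
    """Consumer side of Algorithms 2 and 3 (init -> gotHashes -> consumed)."""
    def __init__(self, j, n_p, b, f_p, keys, length):
        self.n_p, self.b, self.f_p, self.keys, self.length = n_p, b, f_p, keys, length
        self.prod, self.missing = prodset(j, n_p, b, f_p), set(range(n_p))
        self.blocks, self.hashvecs = [None] * n_p, {}
        self.correct = self.value = None
        self.certified, self.reports = {}, []  # reports: what TO would receive

    def minimum_hashes(self):
        top = Counter(h for h, _ in self.hashvecs.values()).most_common(1)
        return top[0][0] if top and top[0][1] >= self.f_p + 1 else None

    def report(self):
        self.reports.append((self.correct, dict(self.certified)))

    def consume_and_report(self):
        self.value = rs_dec(self.blocks, self.b, self.correct, self.length)
        if self.value is not None:
            self.certified = {p: s for p, (h, s) in self.hashvecs.items()
                              if h == self.correct}
            self.report()

    def deliver(self, p, tag, hashes, sig, block=None):
        expected = "Block" if p in self.prod else "Summary"
        if (p not in self.missing or tag != expected or len(hashes) != self.n_p
                or not hmac.compare_digest(sig, sign(self.keys[p], tag, hashes))):
            return
        self.missing.discard(p)
        if tag == "Block" and block_hash(block) != hashes[p]:
            return  # block does not match the sender's own hash vector
        if self.value is not None:  # state consumed: only certify the sender
            if hashes == self.correct:
                self.certified[p] = sig
                self.report()
            return
        if self.correct is not None and hashes != self.correct:
            return  # state gotHashes: ignore vectors other than the correct one
        self.hashvecs[p], self.blocks[p] = (hashes, sig), block
        if self.correct is None:  # state init: look for F_P + 1 equal vectors
            self.correct = self.minimum_hashes()
        if self.correct is not None:
            self.consume_and_report()

def run_transfer():
    """Constructed run: N_P = 7, B = 3, F_P = 2; producers 0 and 1 are Byzantine."""
    n_p, b, f_p, value = 7, 3, 2, b"intermediate map output"
    keys = [bytes([p + 1]) * 16 for p in range(n_p)]  # constructed demo keys
    blocks, forged = rs_enc(value, n_p, b), rs_enc(b"value forged by colluders", n_p, b)
    h_v, h_bad = (tuple(map(block_hash, x)) for x in (blocks, forged))
    c = Consumer(0, n_p, b, f_p, keys, len(value))
    for p in range(n_p):  # the Byzantine messages are delivered first
        blks, hv = (forged, h_bad) if p < f_p else (blocks, h_v)
        tag = "Block" if p in c.prod else "Summary"
        c.deliver(p, tag, hv, sign(keys[p], tag, hv), blks[p] if tag == "Block" else None)
    return c
```

In the constructed run the two colluding producers deliver a consistent forged hash vector first, yet the consumer only leaves state init once three identical vectors are present, decodes from the three blocks that match that vector, and reports only the producers that signed it.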

3.3 Predicates 

We now define the predicates hasProd and hasAck. It is said that producer p is certified by consumer
$c \in conset_p$ iff $evidence[c] = (h_v, report)$ and $report[p] = s_p(\text{Block}, h_v)$. We say that producer p is
certified by consumer $c \in \mathcal{C} \setminus conset_p$ iff $evidence[c] = (h_v, report)$ and $report[p] = s_p(\text{Summary}, h_v)$.
Let V CV and C Q C be the greatest sets that fulfil the following conditions: i) for each p GP and 
c € C, p is certified by c; and ii) for each c € C, c invokes consume(c,v). 
With this in mind, we now define the predicates as follows: 

— For the predicates to be true for any process, #P > Np — Fp and #C > Nq — Fq; 

— has Prod (evidence, p) is true iff p G V; 

— has Ack (evidence, c) is true iff c £ C 

3.4 Correctness 

In this section, the correctness of the above algorithm is proven in an asynchronous environment,
assuming that $N_P > 2F_P + 1$, $N_C > F_C + 1$, and that all non-Byzantine processes follow the
algorithm. In the following two lemmas, we start by showing that the consumers eventually gather
enough information to consume the correct value.

Lemma 1. For each non-Byzantine consumer $c \in \mathcal{C}$, minimumHashes eventually returns exactly
one vector $h^* \neq \bot$ and $h^* = h_v$.

Algorithm 3: NBART (c ∈ C): Part II

01 upon deliver(p, c, [Block, pblock, phashes, msgsig]) ∧ p ∈ missing ∩ prodset_c do
02     if verifysig(p, Block||phashes, msgsig) then
03         missing := missing \ {p};
04         if verifyhash(pblock, phashes[p]) then
05             if correcthashvec = ⊥ then
06                 hashvecs[p] := (phashes, msgsig);
07                 blocks[p] := pblock;
08                 correcthashvec := minimumHashes(hashvecs);
09                 if correcthashvec ≠ ⊥ then
10                     consume-and-report();
11             else if value = ⊥ then
12                 if phashes = correcthashvec then
13                     hashvecs[p] := (phashes, msgsig);
14                     blocks[p] := pblock;
15                     consume-and-report();
16             else if phashes = correcthashvec then
17                 correctproducers[p] := msgsig;
18                 report();
19 upon deliver(p, c, [Summary, phashes, msgsig]) ∧ p ∈ missing ∩ P \ prodset_c do
20     if verifysig(p, Summary||phashes, msgsig) then
21         missing := missing \ {p};
22         if correcthashvec = ⊥ then
23             hashvecs[p] := (phashes, msgsig);
24             correcthashvec := minimumHashes(hashvecs);
25             if correcthashvec ≠ ⊥ then
26                 consume-and-report();
27         else if value = ⊥ then
28             if phashes = correcthashvec then
29                 hashvecs[p] := (phashes, msgsig);
30                 consume-and-report();
31         else if phashes = correcthashvec then
32             correctproducers[p] := msgsig;
33             report();



Proof. Every non-Byzantine consumer receives $h_v$ from all non-Byzantine producers, eventually.
Since $N_P > 2F_P + 1$, only the vector $h_v$ can be sent by $F_P + 1$ producers. Therefore, minimumHashes
only returns a non-null vector $h^*$ if $h^* = h_v$ and this occurs eventually. Also, when correcthashvec
becomes non-null, c never invokes minimumHashes again. □

Lemma 2. For each consumer $c \in \mathcal{C}$, c eventually invokes consume(c, v), and only once.

Proof. It follows from Lemma 1 that, for each non-Byzantine consumer c, correcthashvec is eventually
set to $h_v$, and c eventually starts invoking consume-and-report. By the fact that producers send
their blocks to all consumers of conset, and by the conditions $N_P > B + F_P$ and $\#prodset_c = B + F_P$,
c eventually receives B blocks, correct according to $h_v$. Hence, RS-DEC eventually returns v, and
only v by the property of non-collision of hash functions. A trivial inspection of the algorithm shows
that, once value is set to $v \neq \bot$, c consumes v and never invokes consume-and-report again. □

Lemma 3. For each non-Byzantine producer p and each non-Byzantine consumer $c \in conset_p$,
eventually c certifies p.

Proof. According to the algorithm, p always sends a Block message containing its block and
$s_p(\text{Block}||h_v)$ to all $c \in conset_p$, whereas p sends a Summary message to all $c \in \mathcal{C} \setminus conset_p$,
containing $s_p(\text{Summary}||h_v)$. If c receives this information when it is still in one of the states init
and gotHashes, then, by Lemma 2, c eventually sends a report to TO containing this information.
If c is already in state consumed, then c immediately sends the report containing this information
when it receives the message from p. Either way, c eventually certifies p. □

Algorithm 4: NBART (trusted observer TO)

01 upon init do
02     evidence := [⊥]^{N_C};
03 upon deliver(c, TO, [Report, hashesvec, producers, signature]) do
04     if verifySig(c, Report||hashesvec||producers, signature) then
05         evidence[c] := (hashesvec, producers);
06         certify(TO, evidence);



Lemma 4. There exist sets V and C of non-Byzantine producers and non- Byzantine consumers, 
respectively, such that: i) ff-V > N-p — F-p and #C > Nq — Fc; ii) for each p £ P and c £ C, c 
eventually certifies p; and Hi) for each c G C, c eventually invokes consume (c,v), where v is the 
correct value. 

Proof. i) follows from the fact that there are $N_P - F_P$ non-Byzantine producers and $N_C - F_C$ non-Byzantine
consumers; ii) follows from Lemma 3; and iii) follows from Lemma 2. □

The next theorem concludes the proofs of correctness by showing that each NBART property 
is fulfilled by the presented algorithm. 

Theorem 5. The proposed algorithm solves NBART in an asynchronous environment, assuming 
that all non-Byzantine processes follow the algorithm. 

Proof. The proof is performed individually for each property: 

— (Validity): By Lemmas 1 and 2 and by the non-collision property of hash functions, c consumes
the correct value, which is produced by all non-Byzantine producers.

— (Integrity): Follows from Lemma 2.

— (Agreement): It follows directly from Validity and the fact that all non-Byzantine producers
send a block corresponding to the same value.

— (Eventual Consumption): Follows from Lemma 2.

— (Evidence): TO invokes certify(evidence) whenever it receives new information, either from
producers or consumers. Thus, whenever hasProd(evidence, p) and hasAck(evidence, c) become
true for each non-Byzantine producer p and non-Byzantine consumer c respectively, TO invokes
certify(evidence).

— (Producer and Consumer Certification): Follows from Lemma 4.

□ 



3.5 Complexity Analysis 

The algorithm is evaluated in terms of message and bit complexity. The message complexity is
$O(N_P N_C)$ due to $N_C$ messages sent by each producer that contain the signature of $h_v$. However,
since the value may be arbitrarily large, the size of each message may vary significantly, so it is
interesting to also evaluate the number of bits exchanged, that is, the bit complexity. For this
analysis, let $l_v$, $l_s$, and $l_h$ denote the bit length of the value, a signature and a hash. The bit
complexity is $O(N_C (B + F_P) \frac{l_v}{B} + N_P N_C (l_s + N_P l_h))$. Notice that, if $B > O(F_P)$ and $l_v \gg l_s, l_h$,
then the bit complexity is $O(N_C)$, which is asymptotically optimal, since there must be at least a
value transfer per consumer.

4 Game Theoretic Analysis

The purpose of this analysis is to show that it is in every Rational process's interest to follow the
algorithm. We take into consideration some degree of arbitrary collusion. 

4.1 Definitions 

The algorithm is modelled as a coalitional game T = (X, T, Ex, (ht)teT, ( u i)iei) : 

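— $\mathcal{I} = \mathcal{P} \cup \mathcal{C} \cup \{TO\}$ is the set of players.

— $\mathcal{T}$ is the set of non-empty subsets of $\mathcal{I} \setminus \{TO\}$, which contains all the possible coalitions. Each
coalition $t \in \mathcal{T}$ may contain simultaneously producers and consumers, represented by $t_P = t \cap \mathcal{P}$
and $t_C = t \cap \mathcal{C}$, respectively.

— $\Sigma_{\mathcal{I}}$ is a set containing all the profiles of pure strategies $\sigma_{\mathcal{I}}$ followed by all players of $\mathcal{I}$. $\Sigma_t$ for
$t \in \mathcal{T}$ denotes the set of all collusion strategies the players of t may follow.

— $\succeq_t$ is a preference relation on $\Sigma_{\mathcal{I}} \times \Sigma_{\mathcal{I}}$. We assume that $\succeq_t$ is transitive and reflexive. We can
define the relation of strict preference $\succ_t$ as: for any two profiles of strategies $\sigma_{\mathcal{I}}, \sigma'_{\mathcal{I}} \in \Sigma_{\mathcal{I}}$,
$\sigma_{\mathcal{I}} \succ_t \sigma'_{\mathcal{I}}$ iff $\neg(\sigma'_{\mathcal{I}} \succeq_t \sigma_{\mathcal{I}})$. If $\sigma_{\mathcal{I}} \succ_t \sigma'_{\mathcal{I}}$, then all the players of t will always follow $\sigma_{\mathcal{I}}$ over $\sigma'_{\mathcal{I}}$.

— $u_i$ is the utility function of each player $i \in \mathcal{I}$, defined as $u_i(\sigma_{\mathcal{I}}) = \beta_i(\sigma_{\mathcal{I}}) - \alpha_i(\sigma_{\mathcal{I}})$, where $\beta_i(\sigma_{\mathcal{I}})$
are the benefits and $\alpha_i(\sigma_{\mathcal{I}})$ the costs i incurs when players obey $\sigma_{\mathcal{I}}$.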

Sometimes, we will denote the composition of two profiles $\sigma_A$ and $\sigma_B$ as $\sigma_{A \cup B} = (\sigma_A, \sigma_B)$,
where A and B are any two disjoint sets of players. Conversely, $u_i(\sigma_A, \sigma_B)$ is equivalent to $u_i(\sigma_{A \cup B})$.
Each producer p obtains a benefit $\beta_P$ iff hasProd(evidence, p) eventually becomes true, whereas each
consumer c obtains a benefit $\beta_C$ iff hasAck(evidence, c) eventually becomes true. It is assumed that
for all $p \in \mathcal{P}$, $\beta_P > \alpha_p(\sigma_{\mathcal{I}})$, and for all $c \in \mathcal{C}$, $\beta_C > \alpha_c(\sigma_{\mathcal{I}})$, where $\sigma_{\mathcal{I}}$ is the profile of strategies
where all players follow the algorithm.

A coalition t is said to be Rational if the preference relation y t fulfils the following condition: 

VietV C r x ez x , C r* t eZt u i( a 'z) > > ^ (<rt,<rx\t) (o"t,o"x\t)- 

We assume that the same relation holds, by only replacing > for > and >r< for It follows that 
if #t = 1 and the only player i € t is Rational, then for any two profiles of strategies cr x , cr' x G JCx, 
°"i — * °"x ^ ^("z) — u i{ a x)- On the contrary, if #i = 1 and the player i G t is Altruistic, then t 
is also said to be Altruistic and it is true that (cr t ,cr x ^ t ) y t (cr x ) for all cr* x G Ex and considering 
that crx denotes the profile of strategies where all players follow the algorithm. In any other case, 
t is Byzantine, implying that ^ is arbitrary due to the Byzantine behaviour of some player from 
t. It is important to notice that, if t is Byzantine, then all players of t are also considered to be 
Byzantine, even if some of them have Rational intentions. A coalition t is said to be a producer 
($t \in \mathcal{T}_P$) if $t_P \neq \emptyset$ and it is said to be a consumer ($t \in \mathcal{T}_C$) if $t_C \neq \emptyset$. The purpose of these definitions
is to model scenarios of arbitrary collusion where, for instance, a producer p never executes any 
local function to produce the value. Instead, it requests the hash of the blocks to other player i, 
signs this information, and sends it to i. Then, i may transfer the block and the signature of p to 
all the consumers that expect this information, as if it were sent by p. 

For simplicity, we model Byzantine behaviour as a single coalition composed by up to Fp + Fc 
players. We consider an arbitrary number of non-Byzantine coalitions, as long as each coalition is 
never composed by more than Nj- producers and Nj- consumers. The distinction between producers 
and consumers will allow us a more refined analysis of the bounds on the minimum number of 
producers and consumers. If we only considered a single parameter, the bounds would be stricter 
than necessary. As it will be shown later, we now require the following conditions to hold for the 
algorithm to be tolerant to collusion: Np > max(Fp,Nj y ) + Fp + 1 and Nc > Fc + Nj- + 1. 
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4.2 Expected Utility and Solution Concept 



We use the notion of Byzantine-aware utility function for risk-averse players introduced in [11]. An
improvement of this work for models where players may be risk-seekers is left for future work. Let
$\mathcal{F}_\mathcal{P}$ and $\mathcal{F}_\mathcal{C}$ denote the sets of Byzantine producers and
consumers, respectively, and let $\pi_\mathcal{P} \in \Pi_\mathcal{P}$ and
$\pi_\mathcal{C} \in \Pi_\mathcal{C}$ be the corresponding profiles of strategies. Let us denote by
$\sigma_{\mathcal{I} \setminus \mathcal{F}, \pi_\mathcal{P}, \pi_\mathcal{C}}$ the profile of
strategies where all non-Byzantine players follow the strategy specified by $\sigma_\mathcal{I}$,
Byzantine producers follow the strategies of $\pi_\mathcal{P}$ and Byzantine consumers obey the
strategies of $\pi_\mathcal{C}$. The expected utility of each player
$i \in \mathcal{I} \setminus \mathcal{F}$ is defined as follows:

Ui{cr M ) = min o min ^{a 1 ^ ). (1) 

Recall that, since we consider communication costs, a solution concept as strong as
$(k,t)$-robustness is impossible in our case. To overcome this impossibility result, we use the
concept of $k$-resilience combined with the Byzantine-aware utility function defined above. However, we still
cannot ensure that no player from a coalition t can increase its utility regardless of whether some 
other player obtains a lower utility or not. What we intend to show is that, regardless of the 
preferred collusion strategy of each coalition, the chosen strategies fulfil the NBART properties. 

In order to formalise this intuition, we define the observable behaviour of each coalition
$t \in \mathcal{T}$ for the profile of strategies $\sigma_t$ as a multi-set of events triggered in
each player $i \in \mathcal{I} \setminus t$ that are influenced by $\sigma_t$, which we denote by
$\phi_i(\sigma_t)$. For any player $i \in \mathcal{I} \setminus t$, the delivery of a message
sent by some player $j \in t$ is an event. In addition, there are two events triggered in TO, namely
produce(p, v) for each $p \in t_\mathcal{P}$ and consume(c, v) for each $c \in t_\mathcal{C}$.
Henceforth, the meaning of a producer producing a value or a consumer consuming a value is that the
corresponding event is eventually triggered in TO.

We say that collusion profile $\sigma'_t \in \Sigma_t$ is compliant with the profile
$\sigma_\mathcal{I} = (\sigma_t, \sigma_{\mathcal{I} \setminus t})$ iff
$\forall_{i \in \mathcal{I} \setminus t}\ \phi_i(\sigma'_t) = \phi_i(\sigma_t)$. The set of profiles
of strategies compliant with $\sigma_\mathcal{I}$ is denoted by $\Sigma_t(\sigma_\mathcal{I})$, where
$\sigma_t \in \Sigma_t(\sigma_\mathcal{I})$. The solution concept we use in this work, named n
collusion tolerance (n-cotolerance), is similar to the concept of $k$-resilience, aside from the fact
that we do not require that players in collusion follow the algorithm exactly; only that they follow
a profile of strategies from $\Sigma_t(\sigma_\mathcal{I})$. More precisely:

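Definition 6. For any $n \in \mathbb{N}$, a profile of strategies $\sigma_\mathcal{I}$ is
n-cotolerant iff for all $t \in \mathcal{T}$ such that $\#t \leq n$, for all
$\sigma^*_t \in \Sigma_t(\sigma_\mathcal{I})$ such that
$(\sigma^*_t, \sigma_{\mathcal{I} \setminus t}) \succeq_t \sigma_\mathcal{I}$, and for all
$\sigma'_t \in \Sigma_t \setminus \Sigma_t(\sigma_\mathcal{I})$,
$(\sigma^*_t, \sigma_{\mathcal{I} \setminus t}) \succ_t (\sigma'_t, \sigma_{\mathcal{I} \setminus t})$.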

The above definition is generic and may be of independent interest. In order to apply it to the
NBART problem, we additionally need to capture the distinction between producers and consumers.
Therefore, we introduce two parameters $x, y \in \mathbb{N}$ that establish the limit on the number
of producers and consumers within the coalition, respectively, such that $n \geq x, y$ and
$n \leq x + y$. With this definition, if $n = 1$, then there is no collusion among non-Byzantine
players. Henceforth, we will say that a profile of strategies $\sigma_\mathcal{I}$ is
$(n, x, y)$-cotolerant iff it is n-cotolerant, $n \geq x, y$ and $n \leq x + y$, and for all
$t \in \mathcal{T}$, $\#t_\mathcal{P} \leq x$ and $\#t_\mathcal{C} \leq y$.



4.3 Tolerance to Collusion 

The purpose of this section is twofold: i) show that, considering that $\sigma_\mathcal{I}$ denotes
the profile of strategies where all players follow the algorithm, for any combination of Byzantine
and Rational collusions, and any coalition $t$, if all players of $t$ follow a profile of strategies
from $\Sigma_t(\sigma_\mathcal{I})$, then the NBART properties are fulfilled; and ii) show that any
profile of strategies $\sigma^*_t \in \Sigma_t$ is preferable to $\sigma_t$ only if
$\sigma^*_t \in \Sigma_t(\sigma_\mathcal{I})$. The proofs of this section rely on the assumption that
$N_\mathcal{P} > \max(F_\mathcal{P}, N^\mathcal{T}_\mathcal{P}) + F_\mathcal{P} + 1$ and
$N_\mathcal{C} > F_\mathcal{C} + N^\mathcal{T}_\mathcal{C} + 1$.
We find it useful to identify the following corollary, which states that in any coalition $t$,
produce(p, v) must be invoked for all $p \in t_\mathcal{P}$; this follows from the fact that
produce(p, v) $\in \phi_{TO}(\sigma_t)$.

Corollary 7. For any $t \in \mathcal{T}_\mathcal{P}$, if $t$ follows a profile of strategies from
$\Sigma_t(\sigma_\mathcal{I})$, then for each $p \in t_\mathcal{P}$, $p$ invokes produce(p, v).

Let e ; Et £ Nc be a function that for each profile a x returns an instance of the data 
structure evidence G £ Nc stored by TO when it produces evidence about the transfer, by replacing 
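any entry corresponding to a Byzantine player by the value $\bot$, i.e., if
$c \in \mathcal{F}_\mathcal{C}$ and $e = e(\sigma_\mathcal{I})$, then $e[c] = \bot$, and if
$p \in \mathcal{F}_\mathcal{P}$, then $e[c][p] = \bot$ for all
$c \in \mathcal{C} \setminus \mathcal{F}_\mathcal{C}$.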

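We state the following proposition, that $e$ depends only on the observable behaviour of each
player:

Proposition 8. For any $t \in \mathcal{T}$ and for any profile
$\sigma^*_\mathcal{I} \in \Sigma_\mathcal{I}$, if
$\phi_{TO}(\sigma_\mathcal{I}) = \phi_{TO}(\sigma^*_\mathcal{I})$, then
$e(\sigma^*_\mathcal{I}) = e(\sigma_\mathcal{I})$.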

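We show in the following theorem that if each coalition $t$ follows a strategy from
$\Sigma_t(\sigma_\mathcal{I})$, then the algorithm tolerates collusion. Fix any arbitrary
$f \in \mathcal{T}$ such that $\#f_\mathcal{P} \leq F_\mathcal{P}$ and
$\#f_\mathcal{C} \leq F_\mathcal{C}$. By assumption,
$N_\mathcal{P} > \max(F_\mathcal{P}, N^\mathcal{T}_\mathcal{P}) + F_\mathcal{P} + 1$ and
$N_\mathcal{C} > F_\mathcal{C} + N^\mathcal{T}_\mathcal{C} + 1$, and let $I$ denote an arbitrary
partition of $\mathcal{I} \setminus (\{TO\} \cup f)$ such that, for any $t \in I$,
$\#t_\mathcal{P} \leq N^\mathcal{T}_\mathcal{P}$ and $\#t_\mathcal{C} \leq N^\mathcal{T}_\mathcal{C}$.
We use the notation $\#(e, m)$ to denote the frequency of element $e$ in the multi-set $m$.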

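Theorem 9. For some arbitrary partition $I$, and for any
$\sigma^*_\mathcal{I} = ((\sigma^*_t)_{t \in I,\ \sigma^*_t \in \Sigma_t(\sigma_\mathcal{I})}, (\pi_p)_{p \in f_\mathcal{P}}, (\pi_c)_{c \in f_\mathcal{C}})$,
if all players follow $\sigma^*_\mathcal{I}$, then the NBART properties are fulfilled.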

Proof. Notice that, in this scenario, it is also true that: 1) $N_\mathcal{P} > 2F_\mathcal{P} + 1$
and 2) $N_\mathcal{C} > F_\mathcal{C} + 1$. Let us fix some arbitrary
$t \in \mathcal{T}_\mathcal{C} \cap I$ and $c \in t_\mathcal{C}$. The correctness is proved for each
of the NBART properties:

— (Validity): consume(c, v) $\in \phi_{TO}(\sigma^*_\mathcal{I})$, where $v$ must be a value for
which there are $F_\mathcal{P} + 1$ signatures of $h_v$, otherwise
$\phi_{TO}(\sigma^*_\mathcal{I}) \neq \phi_{TO}(\sigma_\mathcal{I})$ and
$\sigma^*_t \notin \Sigma_t(\sigma_\mathcal{I})$. By 1) and Corollary 7, there is only one value
that fulfils these restrictions, which is the value produced by all non-Byzantine producers.

— (Integrity): Since the players of $t$ follow $\sigma^*_t$ and
$\sigma^*_t \in \Sigma_t(\sigma_\mathcal{I})$, $\#(\text{consume}(c, v), \phi_{TO}(\sigma^*_t)) = 1$.

— (Agreement): It follows directly from Validity and Corollary 7.

— (Eventual Consumption): Since $\phi_c(\sigma^*_\mathcal{I}) = \phi_c(\sigma_\mathcal{I})$, $t$
receives blocks from all the non-Byzantine producers from $prodset_c \setminus t_\mathcal{P}$. If
$\#(prodset_c \setminus t_\mathcal{P}) > F_\mathcal{P} + B$, then $c$ eventually gathers $B$ blocks
corresponding to the correct value; otherwise, $\#t_\mathcal{P} > 1$ and, by Corollary 7, some
producer of $t$ produces the value. In either case, by the definition of
$\Sigma_t(\sigma_\mathcal{I})$, $c$ must invoke consume(c, v).

— (Evidence): It follows from the fact that TO is Altruistic.

— (Producer and Consumer Certification): By the definition of $\Sigma_t(\sigma_\mathcal{I})$,
$\phi_{TO}(\sigma^*_\mathcal{I}) = \phi_{TO}(\sigma_\mathcal{I})$. By Theorem 5 and by 1) and 2), if
all players follow $\sigma_\mathcal{I}$, then the properties NBART 6-7 are fulfilled for
$e = e(\sigma_\mathcal{I})$. It follows from Proposition 8 that $e(\sigma^*_\mathcal{I}) = e$. Since
the value of the predicates only depends on $e$, these properties also hold in this new scenario.

□ 
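
The Validity argument and the relayed-signature collusion scenario both come down to one consumer-side check: a value is consumed only if $F_\mathcal{P} + 1$ distinct producers signed its hash, whichever player delivered each signature. The Python sketch below is an added example, not the paper's algorithm; HMAC tags with per-producer keys stand in for digital signatures, and all names, parameters and sample messages are constructed for illustration.

```python
import hashlib
import hmac

# Constructed parameters (not from the paper): N_P = 7 producers, F_P = 2 Byzantine.
F_P = 2
PRODUCERS = [f"p{i}" for i in range(7)]
# Assumption: one HMAC key per producer stands in for that producer's signing key.
KEYS = {p: hashlib.sha256(p.encode()).digest() for p in PRODUCERS}

def h(value: bytes) -> bytes:
    """Hash h_v of a produced value."""
    return hashlib.sha256(value).digest()

def sign(producer: str, digest: bytes) -> bytes:
    """Stand-in signature of `producer` over a value hash."""
    return hmac.new(KEYS[producer], digest, hashlib.sha256).digest()

def accepted_hash(summaries, f_p=F_P):
    """Return the hash backed by at least f_p + 1 distinct valid signers, else None."""
    signers = {}
    for producer, digest, tag in summaries:
        if producer not in KEYS:
            continue  # unknown sender
        if not hmac.compare_digest(tag, sign(producer, digest)):
            continue  # forged or corrupted signature
        signers.setdefault(digest, set()).add(producer)  # a set ignores replays
    backed = [d for d, who in signers.items() if len(who) >= f_p + 1]
    return backed[0] if len(backed) == 1 else None

def consume(value: bytes, summaries, f_p=F_P) -> bool:
    """A consumer consumes `value` only if its hash passed the threshold."""
    return accepted_hash(summaries, f_p) == h(value)

# Constructed run: p0..p4 produce the correct value, p5 and p6 are Byzantine.
GOOD, BAD = b"map-output-17", b"tampered"
honest = [(p, h(GOOD), sign(p, h(GOOD))) for p in PRODUCERS[:5]]
byzantine = [(p, h(BAD), sign(p, h(BAD))) for p in PRODUCERS[5:]]
# A Byzantine replay plus a forged tag in p0's name must not add support for BAD.
noise = byzantine + byzantine + [("p0", h(BAD), sign("p5", h(BAD)))]
# Collusion as described in Section 4: p1's signed summary is relayed by another
# player. The consumer observes the same (producer, hash, signature) triple.
relayed = honest[1]
```

With at most `F_P` Byzantine signers, the tampered hash can never reach the threshold, while a relayed but genuine signature counts exactly like one sent directly.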

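We now provide the proofs that the profile of strategies $\sigma_\mathcal{I}$ where all players
follow the algorithm is
$(N^\mathcal{T}_\mathcal{P} + N^\mathcal{T}_\mathcal{C}, N^\mathcal{T}_\mathcal{P}, N^\mathcal{T}_\mathcal{C})$-cotolerant
for $N_\mathcal{P} > \max(F_\mathcal{P}, N^\mathcal{T}_\mathcal{P}) + F_\mathcal{P} + 1$ and
$N_\mathcal{C} > F_\mathcal{C} + N^\mathcal{T}_\mathcal{C} + 1$. The following two lemmas show that,
for each $t \in \mathcal{T}$, the expected benefit is 0 for all $i \in t$, whenever players of $t$
follow a profile of strategies from $\Sigma_t \setminus \Sigma_t(\sigma_\mathcal{I})$. Recall that we
assume that the players are risk averse. Therefore, the analysis is done assuming worst case
Byzantine behaviour.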
Lemma 10. For any $t \in \mathcal{T}_\mathcal{C}$, let
$\sigma'_t \in \Sigma_t \setminus \Sigma_t(\sigma_\mathcal{I})$ be any profile of strategies where
$t$ does not ensure that, for all $c \in t_\mathcal{C}$ and $p \in \mathcal{P}$, $c$ certifies $p$
and invokes consume(c, v), and, for each $p \in t_\mathcal{P}$, $p$ invokes produce(p, v). Then, for
all $i \in t$, $\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$.

Proof. Assume worst case Byzantine behaviour. If n > 1 producers are not certified by all consumers 
of t, those n producers are certified by less than Nc — Fq consumers. Since #tp < N-p — Fp, 
#V < Np — n — Fp < Np — Fp. Conversely, if consumers from tc do not consume the correct 
value, then it is true that f^C < Nc — Fq, due to the fact that #ie < Nc — Fc- By the definition 
of the predicates, for all $p \in t_\mathcal{P}$ and $c \in t_\mathcal{C}$, hasProd(evidence, p) and
hasAck(evidence, c) are false. Therefore, for all $i \in t$,
$\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$. □

Lemma 11. For any $t \in \mathcal{T}$, let
$\sigma'_t \in \Sigma_t \setminus \Sigma_t(\sigma_\mathcal{I})$. Then, for all $i \in t$,
$\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$.

Proof. Assume worst case Byzantine behaviour. By the definition of $\Sigma_t(\sigma_\mathcal{I})$,
there exists $j \in \mathcal{I} \setminus (\mathcal{F} \cup t)$ such that
$\phi_j(\sigma'_t) \neq \phi_j(\sigma_t)$, which implies that not all expected events are triggered
in $j$ for some player $i \in t$, some consumer does not consume the correct value, or some producer
does not produce the correct value. If $j$ is a consumer or a producer, then it follows directly from
Lemma 10 that, for all $i \in t$, $\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$. If $j$
is TO, then either 1) $i$ is a producer, and $i$ is not certified by some consumer or does not
produce the value; or 2) $i$ is a consumer, and $i$ does not certify some player or does not consume
the value. In both cases, by Lemma 10, it is true that for all $i \in t$,
$\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$. □

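The following theorem concludes that the proposed algorithm is
$(N^\mathcal{T}_\mathcal{P} + N^\mathcal{T}_\mathcal{C}, N^\mathcal{T}_\mathcal{P}, N^\mathcal{T}_\mathcal{C})$-cotolerant.

Theorem 12. Let $\sigma_\mathcal{I} \in \Sigma_\mathcal{I}$ denote the profile of strategies where
all players follow the algorithm. Then, $\sigma_\mathcal{I}$ is
$(N^\mathcal{T}_\mathcal{P} + N^\mathcal{T}_\mathcal{C}, N^\mathcal{T}_\mathcal{P}, N^\mathcal{T}_\mathcal{C})$-cotolerant.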

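Proof. Let $t \in \mathcal{T}$ be any coalition such that
$\#t_\mathcal{P} \leq N^\mathcal{T}_\mathcal{P}$ and $\#t_\mathcal{C} \leq N^\mathcal{T}_\mathcal{C}$.
By Theorem 9, for all $p \in t_\mathcal{P}$, $\beta_p(\sigma_\mathcal{I}) = \beta_\mathcal{P}$ and
for all $c \in t_\mathcal{C}$, $\beta_c(\sigma_\mathcal{I}) = \beta_\mathcal{C}$. Therefore, for all
$i \in t$, $\beta_i(\sigma_\mathcal{I}) > \alpha_i(\sigma_\mathcal{I})$ and
$u_i(\sigma_\mathcal{I}) > 0$. Furthermore, it follows from Lemma 11 that for all
$\sigma'_t \in \Sigma_t \setminus \Sigma_t(\sigma_\mathcal{I})$,
$\beta_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) = 0$. Therefore,
$u_i(\sigma'_t, \sigma_{\mathcal{I} \setminus t}) \leq 0 < u_i(\sigma_\mathcal{I})$, which implies
that $\sigma_\mathcal{I} \succ_t (\sigma'_t, \sigma_{\mathcal{I} \setminus t})$. Consequently, for
all $\sigma^*_t \in \Sigma_t(\sigma_\mathcal{I})$, if
$(\sigma^*_t, \sigma_{\mathcal{I} \setminus t}) \succeq_t \sigma_\mathcal{I}$, then
$(\sigma^*_t, \sigma_{\mathcal{I} \setminus t}) \succ_t (\sigma'_t, \sigma_{\mathcal{I} \setminus t})$.
This allows us to conclude that $\sigma_\mathcal{I}$ is
$(N^\mathcal{T}_\mathcal{P} + N^\mathcal{T}_\mathcal{C}, N^\mathcal{T}_\mathcal{P}, N^\mathcal{T}_\mathcal{C})$-cotolerant. □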

4.4 Discussion 

Some important consequences result from Theorems 9 and 12. One is that $\sigma_\mathcal{I}$ is (1, 1, 1)-cotolerant.
By the definition of >zt for any t G T such that #i = 1 and by the fact that S t {(Jz) = °"2 is 

a Nash equilibrium.

Another important result is that no producer $p \in t_\mathcal{P}$ from any non-Byzantine coalition
$t$ can avoid sending the expected Summary and Block messages to consumers not from $t_\mathcal{C}$.
The same applies to Report messages sent by consumers to TO. Therefore, for any $i \in t$, the
expected utility of delaying messages to players not from $t$ is at most as high as the utility of
following the algorithm. Therefore, by the promptness principle, players never delay messages between
different coalitions. Concerning the messages exchanged between players from the same coalition, we
do not guarantee that players do not incur any communication delays. However, if these messages are
mandatory to ensure that all players of the coalition are rewarded, then, if there is any delay, it
must be finite; otherwise, the expected utility is the same as not sending these messages, i.e., at
most 0.

Acknowledgements 

This work was partially supported by the FCT (INESC-ID multi annual funding through the 
PIDDAC Program fund grant and by the project PTDC/EIA-EIA/102212/2008). 






References 



1. Anderson, D.: Boinc: A system for public-resource computing and storage. In: Proceedings of the 5th IEEE/ACM 
International Workshop on Grid Computing. GRID'04, Pittsburgh, PA, USA, IEEE (November 2004) 4-10 

2. Aiyer, S., Alvisi, L., Clement, A., Dahlin, M., Martin, J. P., Porth, C.: BAR fault tolerance for cooperative
services. In: Proceedings of the 20th ACM Symposium on Operating Systems Principles. SOSP'05, Brighton,
United Kingdom, ACM (October 2005) 45-58

3. Vilaça, X., Leitão, J., Correia, M., Rodrigues, L.: N-party BAR transfer. In: Proceedings of the 15th International
Conference On Principles Of Distributed Systems (to appear). OPODIS'11, Toulouse, France (December 2011)

4. Eliaz, K.: Fault-tolerant implementation. Review of Economic Studies 69(3) (August 2002) 589-610 

5. Moscibroda, T., Schmid, S., Wattenhofer, R.: On the topologies formed by selfish peers. In: Proceedings of the 
25th Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing. PODC'06, Denver, 
CO, USA, ACM (July 2006) 133-142 

6. Wong, E.L., Clement, A., Levy, I., Alvisi, L., Dahlin, M.: Regret freedom isn't free. In: Proceedings of the
15th International Conference On Principles Of Distributed Systems (to appear). OPODIS'11, Toulouse, France
(December 2011)

7. Aumann, R.J.: Acceptable points in General Cooperative n-person Games. In: Contributions to the Theory of
Games IV. Number 40 in Annals of Mathematics Studies. Princeton University Press, Princeton (1959) 287-324

8. Bernheim, B., Peleg, B., Whinston, M.: Coalition-proof Nash equilibria I. Concepts. Journal of Economic Theory
42(1) (June 1987) 1-12

9. Moreno, D., Wooders, J.: Coalition-proof equilibrium. Games and Economic Behavior 17(1) (November 1996) 
80-112 

10. Abraham, I., Dolev, D., Gonen, R., Halpern, J.: Distributed computing meets game theory: robust mechanisms 
for rational secret sharing and multiparty computation. In: Proceedings of the 25th Annual ACM SIGACT- 
SIGOPS Symposium on Principles of Distributed Computing. PODC'06, Denver, CO, USA, ACM (July 2006) 
53-62 

11. Clement, A., Napper, J., Li, H., Martin, J. P., Alvisi, L., Dahlin, M.: Theory of BAR games. In: Proceedings of the 
26th Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing. PODC'07, Portland, 
OR, USA, ACM (August 2007) 358-359 

12. Li, H., Clement, A., Wong, E., Napper, J., Roy, I., Alvisi, L., Dahlin, M.: BAR gossip. In: Proceedings of the 7th
USENIX Symposium on Operating Systems Design and Implementation. OSDI'06, Seattle, WA, USA, USENIX
Association (November 2006) 191-204

13. Li, H., Clement, A., Marchetti, M., Kapritsos, M., Robison, L., Alvisi, L., Dahlin, M.: Flightpath: Obedience 
vs choice in cooperative services. In: Proceedings of the 8th USENIX Symposium on Operating Systems Design 
and Implementation. OSDI'08, San Diego, CA, USA, USENIX Association (December 2008) 355-368 

14. Mokhtar, S., Pace, A., Quema, V.: FireSpam: Spam resilient gossiping in the BAR model. In: Proceedings of 
the 29th IEEE International Symposium on Reliable Distributed Systems. SRDS'10, New Delhi, India, IEEE 
(October 2010) 225-234 

15. Wong, E.L., Leners, J.B., Alvisi, L.: It's on me! the benefit of altruism in BAR environment. In: Proceedings of
the 25th International Symposium on Distributed Computing. DISC'10, Cambridge, USA, Springer (September
2010) 406-420

16. Cachin, C., Guerraoui, R., Rodrigues, L.: Introduction to Reliable and Secure Distributed Programming. 2nd
edn. Springer-Verlag New York, Inc. (2011)






